OFFICE OF INSPECTOR GENERAL

AUDIT OF THE OVERSEAS PRIVATE INVESTMENT CORPORATION'S FISCAL YEAR 2014 COMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002

AUDIT REPORT NO. A-OPC-14-007-P
SEPTEMBER 11, 2014

WASHINGTON, D.C.

This is our summary report on the "Audit of the Overseas Private Investment Corporation's Fiscal Year 2014 Compliance With the Federal Information Security Management Act of 2002" (Audit Report No. A-OPC-14-007-P). The Federal Information Security Management Act of 2002 (FISMA) requires agencies to develop, document, and implement an agency-wide information security program to protect their information and information systems, including those provided or managed by another agency, contractor, or other source. The act also requires agencies to have an annual assessment of their information systems.

The USAID Office of Inspector General (OIG) contracted with CliftonLarsonAllen LLP (Clifton) to conduct the audit in accordance with U.S. Government auditing standards. The objective was to determine whether the Overseas Private Investment Corporation (OPIC) implemented selected security controls for selected information systems in support of FISMA.

To answer the audit objective, Clifton assessed whether OPIC implemented selected management, technical, and operational controls outlined in National Institute of Standards and Technology Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, Revision 4. Clifton performed audit fieldwork at OPIC's headquarters in Washington, D.C., from June 4 through July 17, 2014.

The audit concluded that OPIC implemented 74 of 78 selected security controls in support of FISMA. For example, OPIC did the following:

• Categorized its information systems and the information processed, stored, or transmitted in accordance with federal guidelines, and designated senior-level officials within the organization to review and approve the security categorizations.

• Implemented an effective incident handling and response program.

• Maintained an effective specialized training program for employees who need role-based training.

• Established appropriate segregation of duties within OPICNet, the corporation's general support system.

Clifton concluded that, although OPIC generally had policies for its information security program, its implementation of those policies was not always effective enough to preserve the confidentiality, integrity, and availability of the corporation's information and information systems. Based on Clifton's report, OIG made six recommendations to help OPIC strengthen its information security program and one to address a weakness in the recommendation closure process. Management decisions were made on all seven recommendations.

U.S. Agency for International Development
Office of Inspector General
1300 Pennsylvania Avenue, NW
Washington, DC 20523
Tel: 202-712-1150
Fax: 202-216-3047
http://oig.usaid.gov